Details
Bug
Status: Closed
Critical
Resolution: Fixed
1.5, 1.5.2
None
JBoss 4.0.5 + deployed Liferay 4.2.2 on any Platform
Description
In 1.4.x, inside RepositoryImpl.login(...), the local configuration is checked first for configured LoginModules, and only after that was unsuccessful is the JAAS component asked:
AuthContext authCtx;
LoginModuleConfig lmc = repConfig.getLoginModuleConfig();
if (lmc == null)
else {
...
With 1.5.x, this behaviour has moved to SimpleSecurityManager.init(..) and has changed:
LoginModuleConfig loginModConf = config.getLoginModuleConfig();
authCtxProvider = new AuthContextProvider(config.getAppName(), loginModConf);
if (authCtxProvider.isJAAS())
else if (authCtxProvider.isLocal()) {
...
The problem with the JBoss JAAS implementation is that authCtxProvider.isJAAS() is always true.
For whatever reason, the result of Configuration.getAppConfigurationEntry(appName) is never empty when a jaas.config is specified for Liferay. Using a different appName has no effect; the configuration inside the jaas.config is always used.
I think the local configuration should still be considered first, before using JAAS.